mirror of
https://github.com/spiral-project/ihatemoney.git
synced 2025-04-28 17:32:38 +02:00
Update security docs for the new feed token
This commit is contained in:
parent
ad5b108ec0
commit
4d3bcf69d3
2 changed files with 26 additions and 14 deletions
@ -11,18 +11,19 @@ expenses in the first place!
That being said, there are a few mechanisms to limit the impact of a
That being said, there are a few mechanisms to limit the impact of a
malicious member and to manage changes in membership (e.g. ensuring that
malicious member and to manage changes in membership (e.g. ensuring that
a previous member can no longer access the project). But these
a previous member can no longer access the project). But these
mechanisms don\'t prevent a malicious member from breaking things in
mechanisms don't prevent a malicious member from breaking things in
your project!
your project!
## Security model
## Security model
A project has three main parameters when it comes to security:
A project has four main parameters when it comes to security:
- **project identifier** (equivalent to a \"login\")
- **project identifier** (equivalent to a \"login\")
- **private code** (equivalent to a \"password\")
- **private code** (equivalent to a \"password\")
- **token** (cryptographically derived from the private code)
- **auth token** (cryptographically derived from the private code)
- **feed token** (also cryptographically derived from the private code)
Somebody with the private code can:
Somebody with the **private code** can:
- access the project through the web interface or the API
- access the project through the web interface or the API
- add, modify or remove bills
- add, modify or remove bills
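Review bot: The new **feed token** bullet (fourth item of the list) says only that it is "also cryptographically derived from the private code", which leaves open whether it is a distinct token from the auth token or grants the same access; suggest a short qualifier such as "(distinct from the auth token; read-only, see below)" so the list of four parameters matches the capabilities described later in the document.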
@ -31,7 +32,7 @@ Somebody with the private code can:
- change the email address associated to the project
- change the email address associated to the project
- change the private code of the project
- change the private code of the project
Somebody with the token can manipulate the project through the API to do
Somebody with the **auth token** can manipulate the project through the API to do
essentially the same thing:
essentially the same thing:
- access the project
- access the project
@ -40,10 +41,13 @@ essentially the same thing:
- change the email address associated to the project
- change the email address associated to the project
- change the private code of the project
- change the private code of the project
The token can also be used to build \"invitation links\". These links
The auth token can also be used to build "invitation links". These links
allow to login on the web interface without knowing the private code,
allow to login on the web interface without knowing the private code,
see below.
see below.
Somebody with the **feed token** can only access a read-only view of the project
through a RSS feed (at `/<project_id>/feed/<token>.xml`).
## Giving access to a project
## Giving access to a project
There are two main ways to give access to a project to a new person:
There are two main ways to give access to a project to a new person:
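Review bot: The new feed-token paragraph should also state the exposure that comes with carrying the token in the URL path (`/<project_id>/feed/<token>.xml`): that link is retained by feed readers, browser history and web server access logs, so anyone who obtains it has the read-only view of every bill until the private code is changed; one sentence to that effect helps readers decide where a feed URL may safely be pasted. Minor: "a RSS feed" should read "an RSS feed".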
@ -57,25 +61,33 @@ The second method is interesting because it does not reveal the private
code. In particular, somebody that is logged-in through the invitation
code. In particular, somebody that is logged-in through the invitation
link will not be able to change the private code, because the web
link will not be able to change the private code, because the web
interface requires a confirmation of the existing private code to change
interface requires a confirmation of the existing private code to change
it. However, a motivated person could extract the token from the
it. However, a motivated person could extract the auth token from the
invitation link, use it to access the project through the API, and
invitation link, use it to access the project through the API, and
change the private code through the API.
change the private code through the API.
## Removing access to a project
## Removing access to a project
If a person should no longer be able to access a project, the only way
If a person should no longer be able to access a project, the only way
is to change the private code.
is to change the private code for the whole project.
This will also automatically change the token: old invitation links
This will prevent anybody from logging in with the old private code.
won\'t work anymore, and anybody with the old token will no longer be
However, anybody with an existing session cookie will still have
able to access the project through the API.
access to the project. This is a [known issue](https://github.com/spiral-project/ihatemoney/issues/857)
that should be fixed.
Changing the private code will automatically change the auth token:
old invitation links won't work anymore, and anybody with the old token
will no longer be able to access the project through the API.
This will also automatically change the feed token, so that existing
links to the RSS feed for the project will no longer work.
## Recovering access to a project
## Recovering access to a project
If the private code is no longer known, the creator of the project can
If the private code is no longer known, the creator of the project can
still recover access. He/she must have provided an email address when
still recover access. He/she must have provided an email address when
creating the project, and Ihatemoney can send a reset link to this email
creating the project, and Ihatemoney can send a reset link to this email
address (classical \"forgot your password\" functionality).
address (classical "forgot your password" functionality).
Note, however, that somebody with the private code could have changed
Note, however, that somebody with the private code could have changed
the email address in the settings at any time.
the email address in the settings at any time.
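Review bot: "the only way is to change the private code for the whole project" presents the code change as a complete remedy, yet the paragraph that follows concedes that existing session cookies survive it (issue 857); the opening sentence should be qualified, e.g. "the only way is to change the private code, which invalidates the auth and feed tokens but, for now, not existing web sessions". Since the feed token is derived from the private code, it is also worth saying plainly that one recipient's feed link cannot be revoked without revoking every feed link handed out for the project.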
@ -479,8 +479,8 @@ class Project(db.Model):
:param token_type: Either "auth" for authentication (invalidated when project code changed),
:param token_type: Either "auth" for authentication (invalidated when project code changed),
or "reset" for password reset (invalidated after expiration),
or "reset" for password reset (invalidated after expiration),
or "feed" for project feeds (invalidated when project code changed)
or "feed" for project feeds (invalidated when project code changed)
:param project_id: Project ID. Used for token_type "auth" to use the password as serializer
:param project_id: Project ID. Used for token_type "auth" and "feed" to use the password
secret key.
as serializer secret key.
:param max_age: Token expiration time (in seconds). Only used with token_type "reset"
:param max_age: Token expiration time (in seconds). Only used with token_type "reset"
"""
"""
loads_kwargs = {}
loads_kwargs = {}
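Review bot: The updated `:param project_id:` text documents that "auth" and "feed" tokens both use the project password as the serializer secret key, but nothing in the docstring says what prevents a feed token from being accepted where an auth token is expected (a token_type-specific salt, for instance); since the feed token is meant to be read-only, that separation should be spelled out here. The docstring could also state explicitly that, unlike "reset", "auth" and "feed" tokens take no max_age and so stay valid until the project code changes.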